Checking structure sizes before reading them from memory to avoid overflowing the buffer's stream.

include/core/SkReader32.h

 
 /*
  * Copyright 2008 The Android Open Source Project
  *
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  */
 
 
 #ifndef SkReader32_DEFINED
@@ skipping 88 matching lines @@
         memcpy(dst, fCurr, size);
         fCurr += SkAlign4(size);
         SkASSERT(fCurr <= fStop);
     }
 
     uint8_t readU8() { return (uint8_t)this->readInt(); }
     uint16_t readU16() { return (uint16_t)this->readInt(); }
     int32_t readS32() { return this->readInt(); }
     uint32_t readU32() { return this->readInt(); }
 
     void readPath(SkPath* path) {

[reed1, 2013/10/30 15:37:07]

now it seems that all of these read-helpers must return a bool, or some other
way to indicate that we did or did not initialize the output parameter.

[sugoi1, 2013/10/30 18:07:03]

Done.

-        size_t size = path->readFromMemory(this->peek());
+        size_t size = path->readFromMemory(this->peek(), this->available());
         SkASSERT(SkAlign4(size) == size);
-        (void)this->skip(size);
+        (void)this->skip(size > 0 ? size : this->available());

[reed1, 2013/10/30 15:37:07]

I think a quick comment in the code would help here:

// if readFromMemory fails (available was too small), it returns 0, in which
case we want to skip to the end

[sugoi1, 2013/10/30 18:07:03]

Done.

     }
 
     void readMatrix(SkMatrix* matrix) {
-        size_t size = matrix->readFromMemory(this->peek());
+        size_t size = matrix->readFromMemory(this->peek(), this->available());
         SkASSERT(SkAlign4(size) == size);
-        (void)this->skip(size);
+        (void)this->skip(size > 0 ? size : this->available());
     }
 
     SkRRect* readRRect(SkRRect* rrect) {
-        rrect->readFromMemory(this->skip(SkRRect::kSizeInMemory));
+        size_t size = rrect->readFromMemory(this->peek(), this->available());
+        SkASSERT(SkAlign4(size) == size);
+        (void)this->skip(size > 0 ? size : this->available());
         return rrect;
     }
 
     void readRegion(SkRegion* rgn) {
-        size_t size = rgn->readFromMemory(this->peek());
+        size_t size = rgn->readFromMemory(this->peek(), this->available());
         SkASSERT(SkAlign4(size) == size);
-        (void)this->skip(size);
+        (void)this->skip(size > 0 ? size : this->available());
     }
 
     /**
      *  Read the length of a string (written by SkWriter32::writeString) into
      *  len (if len is not NULL) and return the null-ternimated address of the
      *  string within the reader's buffer.
      */
     const char* readString(size_t* len = NULL);
 
     /**
      *  Read the string (written by SkWriter32::writeString) and return it in
      *  copy (if copy is not null). Return the length of the string.
      */
     size_t readIntoString(SkString* copy);
 
 private:
     // these are always 4-byte aligned
     const char* fCurr;  // current position within buffer
     const char* fStop;  // end of buffer
     const char* fBase;  // beginning of buffer
 
 #ifdef SK_DEBUG
     static bool ptr_align_4(const void* ptr) {
         return (((const char*)ptr - (const char*)NULL) & 3) == 0;
     }
 #endif
 };
 
 #endif